Data Processing Addendum (12 May 2021). 


This Addendum is the addendum to the HotelREZ MSA and Terms referred to at clause 11 of the 
Terms. 


1. DEFINITIONS 
In this Addendum: 
“Agreement” shall mean the MSA (incorporating the Terms);

“Applicable Privacy Law” shall mean the UK Data Protection Legislation and any other European Union
legislation relating to personal data and all other legislation and regulatory requirements in force
from time to time which apply to a party relating to the use of personal data (including, without
limitation, the privacy of electronic communications);

“Controller”, “Processor” and “Data Subject” shall have the meanings given in the Applicable Privacy
Law;

“HotelREZ Services” shall have the meaning set out in the Agreement;

“Personal Data” shall mean any information relating to an identified or identifiable natural person
as defined by the Applicable Privacy Law, including the category of data listed in the Schedule,
together with any additional such data to which HotelREZ may have access from time to time;

“Privacy Authority” shall mean the relevant supervisory authority with responsibility for privacy or
data protection matters;

“Process”, “Processing” or “Processed” shall mean any operation or set of operations which is
performed upon Personal Data whether or not by automatic means, including collecting, recording,
organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making
available, aligning, combining, blocking, erasing and destroying Personal Data as defined in the
Applicable Privacy Law;

“Sub-Processor” shall mean any processor of Personal Data engaged by HotelREZ for the purposes of the
provision of the HotelREZ Services under the Agreement;

“UK Data Protection Legislation” shall mean all applicable data protection and privacy legislation in
force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act
2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications
Regulations 2003 (SI 2003/2426) as amended.

2. PROCESSING OF PERSONAL DATA 
2.1. The parties acknowledge that in relation to the Processing of Personal Data in connection with
the provision of the HotelREZ Services, the Client shall be the Controller and HotelREZ shall be
the Processor for the purposes of the Applicable Privacy Law.
2.2. HotelREZ undertakes in respect of all Personal Data that it Processes on behalf of the Client that
at all times it shall only Process such Personal Data (i) for the purposes of providing the
HotelREZ Services in accordance with the Agreement (ii) in accordance with this Addendum and
(iii) in accordance with the written instructions of the Client.

2.3. The Client shall ensure that all necessary consents and notices are in place to enable lawful
transfer of the Personal Data to HotelREZ for the duration and purposes of the Agreement.

2.4. HotelREZ shall give the Client (at the Client's cost) such co-operation, assistance and
information as the Client may reasonably request to enable it to comply with its obligations
under any Applicable Privacy Law (including in responding to any request from a Data Subject
and in ensuring compliance with its obligations under Applicable Privacy Law with respect to
security, breach notifications, impact assessments and consultations with supervisory
authorities or regulators) and shall co-operate and comply with the directions or decisions of a
relevant Privacy Authority, and in each case within such time as would enable the Client to
meet any time limit imposed by the Privacy Authority.

2.5. Both parties shall comply with the Applicable Privacy Law to which they are respectively
subject, and shall not perform their respective obligations under this Addendum in relation to
Personal Data in such a way as to cause the other party to breach any of its obligations under
Applicable Privacy Law.

2.6. HotelREZ shall maintain full and accurate records of its Processing of Personal Data and shall
(at the Client’s cost) provide such records as soon as reasonably practicable following receipt of
the Client’s request.

2.7. Nothing in this Addendum shall prevent HotelREZ from Processing Personal Data in accordance
with the requirements of Applicable Privacy Law provided that it shall first notify the Client
(unless such notification is prohibited by law).

3. PERSONAL DATA SECURITY

3.1. HotelREZ shall ensure that it has in place appropriate technical and organisational measures to
protect against unauthorised or unlawful processing of Personal Data and against accidental
loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result
from the unauthorised or unlawful processing or accidental loss, destruction or damage and the
nature of the data to be protected, having regard to the state of technological development and
the cost of implementing any measures (those measures may include, where appropriate,
pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability
and resilience of its systems and HotelREZ Services, ensuring that availability of and access to
Personal Data can be restored in a timely manner after an incident, and regularly assessing and
evaluating the effectiveness of the technical and organisational measures adopted by it).

4. PROCESSOR EMPLOYEES - CONFIDENTIALITY

4.1. HotelREZ shall ensure the reliability of any employees who access the Personal Data and ensure
that such personnel have undergone appropriate training in the care, protection and handling of
Personal Data and have entered into appropriate confidentiality provisions in relation to the
Processing of Personal Data.

4.2. HotelREZ will remain liable for any disclosure of Personal Data by each such employee as if it
had made such disclosure.

5. PROCESSING OF PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA)

5.1. If, in the performance of the HotelREZ Services, HotelREZ transfers any Personal Data to a
Sub-Processor located, or permits processing of any Personal Data by a Sub-Processor, outside the
EEA (except if in a country in respect of which a finding of adequacy exists under the Applicable
Privacy Law), without prejudice to clause 6, HotelREZ shall in advance of any such transfer
ensure that:

5.1.1. appropriate safeguards are in place in relation to the transfer;
5.1.2. the Data Subject has enforceable rights and effective legal remedies;
5.1.3. an adequate level of protection applies to any Personal Data that is transferred; and
5.1.4. it complies with instructions notified to it in advance by the Client with respect to the
processing of the Personal Data.


6. USE OF SUB-PROCESSORS

6.1. The Client acknowledges and agrees (i) that HotelREZ engages Sub-Processors in connection
with the provision of certain HotelREZ Services and (ii) to HotelREZ’s engagement of the
Sub-Processors listed in the Schedule (and their subsequent sub-processors) in connection with the
provision of those HotelREZ Services. Such agreement by the Client shall extend to the
Processing of Personal Data outside the EEA subject always to clause 5 above, where applicable.

6.2. HotelREZ shall ensure that no Personal Data is outsourced to any other person or entity unless
and until HotelREZ has (i) imposed legally binding terms no less onerous than those contained
in this Addendum on such Sub-Processor and (ii) where applicable, HotelREZ has complied with
clause 5.

6.3. In all cases, HotelREZ shall remain fully liable to the Client for any act or omission performed by
Sub-Processor or any other third party appointed by it as if they were the acts or omissions of
HotelREZ.

6.4. Where HotelREZ wishes to appoint a new or replacement Sub-Processor, it shall provide all
relevant details to the Client by notification on its client portal before allowing the
Sub-Processor to Process Personal Data in relation to the HotelREZ Services.

6.5. If the Client objects on reasonable grounds to HotelREZ’s proposed appointment, it shall notify
HotelREZ promptly in writing and in any event within ten days of HotelREZ’s notification. On
receipt of such objection, HotelREZ shall use reasonable efforts to make available to the Client a
change in the HotelREZ Services to avoid the Processing of Personal Data by the new or
replacement Sub-Processor, which the Client shall not reject unreasonably.

7. PERSONAL DATA BREACH AND NOTIFICATION REQUIREMENTS

7.1. HotelREZ shall notify the Client in writing as soon as reasonably possible in the circumstances
after becoming aware of any accidental, unauthorized, or unlawful destruction, loss, alteration,
or disclosure of, or access to, Personal Data.

8. AUDIT

8.1. HotelREZ shall, and shall procure that any Sub-Processor shall, permit the Client, at mutually
convenient times and subject to compliance with HotelREZ’s or the Sub-Processor’s security,
health and safety and confidentiality requirements, to have access to its premises, computer
and other information systems, records, documents and agreements as strictly required by the
Client to check that HotelREZ and/or its Sub-Processors are complying with their obligations
under this Addendum.

8.2. HotelREZ shall and shall procure that any Sub-Processor shall permit at its own cost the
applicable Privacy Authority to conduct a data protection audit with regards to the Processing
carried out by HotelREZ or the Sub-Processor in accordance with Applicable Privacy Law.

9. DELETION OF PERSONAL DATA

9.1. At the written direction of the Client, HotelREZ will, and will procure that any Sub-Processor will,
delete or return the Personal Data and all copies thereof to the Client in accordance with the
retention period listed in the Schedule, unless it is required by Applicable Privacy Law to store
such Personal Data.


SCHEDULE 


DATA PROCESSING APPENDIX 


This Schedule, including any relevant attachment, describes the types of Personal Data, and the 
purposes for which that Personal Data may be Processed by HotelREZ. 


HotelREZ is a company providing hotel representation services including distribution, sales &
marketing to over 1000 independent hotels and small groups worldwide.


The Client is a hotel or hotel group providing accommodation services to guests. 


Purpose of the processing

Subject matter, nature: The provision of technology and marketing services to Customer for the
purposes of managing its lodging business, including but not limited to the making and
administration of reservations by guests and managing the activities of its personnel. As set out
in the Agreement and any related product specifications.

Duration of processing: HotelREZ will retain and process the Personal Data for the term of the
Agreement and in accordance with the provisions of this Addendum regarding the return or deletion
of the Personal Data.

Data subjects:

Personnel of Customer and other individuals who use and access the System and whose activities are
managed using the System.

Guests using the Customer's lodging services

Third party agents booking on behalf of a guest

Type of personal data:

Customer or third party end user accounts — name and contact information (phone number, mobile phone
number, or corporate email address) of Customer personnel.

Customer personnel information — information relating to the activities of Customer personnel in
relation to the performance of their duties.

Guest information

Contact information including any combination of guest name and postal address, telephone numbers,
email address, optional alternate contacts, or optional travel companions

Financial data for non-cash payments (credit or debit card numbers, expiration dates, and cardholder
names)

Optional preferences and additional instructions to the Customer (customer loyalty scheme
memberships, accommodation preferences, and assistance)

Data relating to historical travel arrangements of guest.





Approved Sub-Processors

Vendor Name | Functions performed

Salesforce / Pardot | Operations and service delivery

VFM Leonardo | Used for single sign on and hotel image services

Hotel technology and distribution services

The Hotels Network | Widgets on Booking Engine including Bench Direct

Price bidding Tool on Websites

API Booking Engine for Properties

Digital Ocean | Host Websites





Note: the Sub-Processors listed above may themselves engage sub-processors (subsequent
sub-processors). The subsequent sub-processors are listed on the websites of the respective
Sub-Processor. You hereby consent to such subsequent sub-processors. We will notify you of
any new subsequent sub-processors or changes to the subsequent sub-processors as soon as
reasonably possible after we have been notified ourselves and, in such circumstances, clauses
6.4 and 6.5 will apply to those subsequent sub-processors as if they were Sub-Processors.


